The Top 15 Security Posts – Vetted & Curated
*Threats & Defense*
1. NSA: Russia’s Sandworm Hackers Have Hijacked Mail Servers (Wired, May 28 2020)
In a rare public warning, the US spy agency says the notorious arm of Russian military intelligence is targeting a known vulnerability in Exim.
2. Malware opens RDP backdoor into Windows systems (Help Net Security, May 26 2020)
A new version of the Sarwent malware can open the Remote Desktop Protocol (RDP) port on target Windows computers to make sure that crooks can find their way back into the system through the backdoor. Whether that access is used later by the same crooks or sold to ransomware gangs or cyber espionage groups is unknown, but affected users should know that removing the malware does not close that particular “backdoor”.
3. GitHub Supply Chain Attack Uses Octopus Scanner Malware (Dark Reading, May 28 2020)
Octopus Scanner is a new malware used to compromise 26 open source projects in a massive GitHub supply chain attack.
Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~14,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras
*AI, IoT, & Mobile Security*
4. Apple Patches Recent iPhone Jailbreak Zero-Day (SecurityWeek, Jun 02 2020)
Apple on Monday released security patches to address a zero-day vulnerability that had been used to jailbreak iPhones running iOS 13.5.
5. Walmart employees are out to show its anti-shoplifting AI doesn’t work (Ars Technica, May 31 2020)
The retailer denies there is any widespread issue with the software.
6. Critical Android flaw lets attackers hijack almost any app, steal data (WeLiveSecurity, May 27 2020)
Left unpatched, the vulnerability could expose almost all Android users to the risk of having their personal data intercepted by attackers.
*Cloud Security, DevOps, AppSec*
7. “Sign in with Apple” Vulnerability (Schneier on Security, Jun 02 2020)
“Researcher Bhavuk Jain discovered a vulnerability in the “Sign in with Apple” feature, and received a $100,000 bug bounty from Apple. Basically, forged tokens could gain access to pretty much any account.
It is fixed.”
8. Most companies suffered a cloud data breach in the past 18 months (Help Net Security, Jun 03 2020)
Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals. According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.
9. This Bot Hunts Software Bugs for the Pentagon (Wired, Jun 01 2020)
Mayhem emerged from a 2016 government-sponsored contest at a Las Vegas casino hotel. Now it’s used by the military—and Netflix.
*Identity Mgt & Web Fraud*
10. Twitter getting better at detecting fraudulent accounts (SC Media, Jun 03 2020)
Twitter this week said that it removed an account that pretended to be Antifa — the anti-fascist organization President Trump has claimed is an instigator of ongoing protests surrounding the police killing of George Floyd — but was actually the handiwork of a white power group.
11. Facebook to verify identities on accounts that churn out viral posts (Naked Security – Sophos, Jun 01 2020)
Hopefully it’s a COVID-19 version of what it did post-2016 elections, when it required verification of those buying political or issue ads.
12. Romanian Skimmer Gang in Mexico Outed by KrebsOnSecurity Stole $1.2 Billion (Krebs on Security, Jun 04 2020)
“An exhaustive inquiry published today by a consortium of investigative journalists says a three-part series KrebsOnSecurity published in 2015 on a Romanian ATM skimming gang operating in Mexico’s top tourist destinations disrupted their highly profitable business, which raked in an estimated $1.2 billion and enjoyed the protection of top Mexican authorities.”
13. Career Choice Tip: Cybercrime is Mostly Boring (Krebs on Security, May 29 2020)
“When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path.”
14. REvil Ransomware Gang Starts Auctioning Victim Data (Krebs on Security, Jun 02 2020)
“The criminal group behind the REvil ransomware enterprise has begun auctioning off sensitive data stolen from companies hit by its malicious software. The move marks an escalation in tactics aimed at coercing victims to pay up — and publicly shaming those who don’t. But it may also signal that ransomware purveyors are searching for new ways to profit from their crimes as victim businesses struggle just to keep the lights on during the unprecedented economic slowdown caused by the COVID-19 pandemic.”
15. Zoom to offer end-to-end encryption only to paying customers (Help Net Security, Jun 04 2020)
As Zoom continues on its path to bring end-to-end encryption (E2EE) to users, the big news is that only paid users will have access to the option. “Free users for sure we don’t want to give that because we also want to work together with FBI, with local law enforcement in case some people use Zoom for a bad purpose,” Zoom CEO Eric Yuan said on a company earnings call on Tuesday.